Data storage systems implement encryption to prevent unauthorized access to data stored within. The implementation of data encryption may vary from one data storage system to another. For example, some data storage systems may encrypt all data according to the same encryption scheme. The same access credential or encryption key may be used to access any of the data stored in the storage system. However, in some scenarios, it may not be desirable to protect all data stored in a data storage system in the same manner. Instead, different portions of the data may be encrypted differently. For instance, different data objects, such as data folders, files, records, or volumes of data may be encrypted according to different encryption schemes. In this way, different access privileges to different data may be provided and potential compromise of data to unauthorized access may be limited to those data objects for which the encryption key has been compromised.
Managing multiple encryption schemes in data storage systems can prove complex. Distributed storage systems, for instance, may store different copies, parts, or versions of a data object in many different locations. Each of these locations may need to implement similar access controls in order to provide consistent access privileges to the data object. To do this, distribution techniques may be implemented to ensure that the appropriate credentials, such as keys, are provided to the different locations for accessing the data object. In large distributed data storage systems, the number of different data items utilizing different encryption schemes as well as the number of locations in which such data items may be distributed can create a substantial workload for the distributed data storage system to ensure that the proper encryption keys are distributed, reducing the availability of resources to perform other distributed data storage system tasks, such as responding to client requests.
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that the embodiments are not limited to the embodiments or drawings described. It should be understood that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). The words “include,” “including,” and “includes” indicate open-ended relationships and therefore mean including, but not limited to. Similarly, the words “have,” “having,” and “has” also indicate open-ended relationships, and thus mean having, but not limited to. The terms “first,” “second,” “third,” and so forth as used herein are used as labels for nouns that they precede, and do not imply any type of ordering (e.g., spatial, temporal, logical, etc.) unless such an ordering is otherwise explicitly indicated.
Various components may be described as “configured to” perform a task or tasks. In such contexts, “configured to” is a broad recitation generally meaning “having structure that” performs the task or tasks during operation. As such, the component can be configured to perform the task even when the component is not currently performing that task (e.g., a computer system may be configured to perform operations even when the operations are not currently being performed). In some contexts, “configured to” may be a broad recitation of structure generally meaning “having circuitry that” performs the task or tasks during operation. As such, the component can be configured to perform the task even when the component is not currently on. In general, the circuitry that forms the structure corresponding to “configured to” may include hardware circuits.
Various components may be described as performing a task or tasks, for convenience in the description. Such descriptions should be interpreted as including the phrase “configured to.” Reciting a component that is configured to perform one or more tasks is expressly intended not to invoke 35 U.S.C. § 112(f) interpretation for that component.
“Based On.” As used herein, this term is used to describe one or more factors that affect a determination. This term does not foreclose additional factors that may affect a determination. That is, a determination may be solely based on those factors or based, at least in part, on those factors. Consider the phrase “determine A based on B.” While B may be a factor that affects the determination of A, such a phrase does not foreclose the determination of A from also being based on C. In other instances, A may be determined based solely on B.
The scope of the present disclosure includes any feature or combination of features disclosed herein (either explicitly or implicitly), or any generalization thereof, whether or not it mitigates any or all of the problems addressed herein. Accordingly, new claims may be formulated during prosecution of this application (or an application claiming priority thereto) to any such combination of features. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the appended claims.